CRYPTOGRAPHIC TECHNIQUES
FOR A COMMUNICATIONS NETWORK 

Technical Field 

The present invention relates generally to 
cryptographic techniques for use in a communications 
network such as a wireless communications network. 

Background Art 

First generation wireless communications networks 
were based on analog technologies such as the Advanced 
Mobile Phone Service (AMPS). Second generation wireless
communications networks introduced digital
communications technologies such as the Global System
Mobile (GSM), IS-136 Time Division Multiple Access
(TDMA), and IS-95 Code Division Multiple Access (CDMA).
Authentication and Key Agreement (AKA) protocols were 
developed for first and second generation networks to 
prevent theft of cellular telephone service, to provide 
subscriber voice privacy, and provide other security 
features. 

FIG. 1 illustrates a typical cellular telephone or 
Personal Communication Services (PCS) network. A 
subscriber, using a Mobile Station (MS) 130 (e.g., a 
cellular phone), can roam outside of the area covered by
their Home Environment (HE) 110 network and obtain 
wireless communications service from a Serving Network 
(SN) 120. The HE 110 and SN 120 networks typically 
include a switch, base station, and other components 
(not shown), as is known in the art. As is known in the 
art, the HE 110, SN 120, and MS 130 are controlled by 
software, firmware, and/or hardware instructions.

The MS 130 often features a removable Universal
Subscriber Identity Module (USIM) that resides in the MS
130 to store subscriber information such as a
subscriber's identity, secret key information, and so
forth. To simplify descriptions herein, the USIM is
considered part of MS 130. However, a subscriber can
transfer their USIM into other MS-s 130 to obtain
service.

An AKA protocol for second generation wireless
communication networks provides MS 130 to SN 120
authentication. In a typical GSM system, the HE 110 and
MS 130 share a common 128-bit secret key K. To enable
roaming privacy and authentication, HE 110 passes an
authentication vector including three pieces of
cryptographic data to a SN 120. Each vector includes a
random challenge, response, and privacy key.

When MS 130 requests service, SN 120 transmits the
random challenge over the air to the MS 130. MS 130
combines the random challenge with the secret key K
using a cryptographic primitive (e.g., a hash function)
to generate the response. MS 130 transmits the response
to SN 120 which compares the response value received
from MS 130 with the response value provided by HE 110.
If the response values are equal, SN 120 provides system
access to MS 130. MS 130 also uses the random challenge
and K to create a privacy key that is identical to the
privacy key sent from HE 110 to SN 120 as part of the
cryptographic triplet. With the same privacy key, SN
120 and MS 130 can securely communicate. In this
scheme, the SN 120 need not implement a cryptographic
primitive (e.g., a hash function).

A third generation AKA mechanism adopted by the
Third Generation Project Partners (3GPP) enhances the
original GSM AKA mechanism by enabling mutual
authentication between SN 120 and MS 130. The 3GPP AKA
mechanism replaces the GSM crypto-triplet vector with a
crypto-quintet authentication vector (AV) to facilitate
MS/SN mutual authentication.

FIG. 2 illustrates formation of an AV by an HE 110.
As shown, the AV includes five components concatenated
together: (1) the random challenge (RAND), (2) an
expected response (XRES), (3) a cipher key (CK), (4) an
integrity key (IK), and (5) an authentication token
(AUTN). AUTN includes three components: (1) an
exclusive-or of a sequence number (SQN) and anonymity
key (AK), (2) a MODE value, and (3) a message
authentication code (MAC). The sequence number
indicates the AV's position in a sequence of AVs.
Functions f1 through f5 are derived using a
cryptographic primitive shared between HE 110 and MS
130. Different values of primitive constants or
parameters control which function, f1 through f5, the
primitive provides.

When roaming, a MS 130 may be authenticated each
time a MS 130 owner places a call. Thus, typically, an
HE 110 sends multiple AVs to SN 120 to enable multiple
authentications between SN 120 and MS 130.

FIG. 3 illustrates SN 120 authentication in 3GPP
AKA. To authenticate SN 120, the MS 130 and HE 110 keep
track of counters SQN_MS and SQN_HE. When HE 110 generates
an AV, SQN_HE is incremented. MS 130 authentication of SN
120 is performed by ensuring that SQN in each new AV is
greater than SQN in the previous AV. The MS 130 also
verifies that SQN_HE originated from the HE 110 by
verifying the MAC in the AUTN.

It is possible for the SQN counter in HE 110 and MS
120 to lose synchronization. For this reason, the 3GPP
AKA mechanism has SQN re-synchronization procedures. If
K is reset or replaced for a particular USIM, SQN can be
reset at the HE 110 and MS 130.

FIG. 4 illustrates the flow of a typical 3GPP AKA
mechanism. When MS 130 requests service from SN 120, SN
120 sends (step 202) an authentication request to HE
130. Upon receiving the request associated with a
particular MS 130, HE 110 generates (step 204) an array
of AVs for that particular MS 130. HE 110 sends (step
206) the AVs to SN 120 which, in turn, stores (step 208)
the AVs in its Visitor Location Register (VLR). SN 120
selects (step 210) the first sequential AV(i) (e.g., i =
1) and sends (step 212) RAND(i) and AUTN(i) to MS 130.
MS 130 verifies (step 214) AUTN(i) and computes RES(i).
If SQN(i) is greater than SQN_MS, MS 130 successfully
authenticates SN 120. MS 130 sends (step 216) RES(i) to
SN 120. SN 120 compares (step 218) RES(i) with XRES(i).
If RES and XRES are equal, SN 120 has successfully
authenticated MS 130. Finally, MS 130 computes (step
220) CK(i) and IK(i) while SN 120 selects CK(i) and
IK(i).

FIG. 5 illustrates a cryptographic key hierarchy of
the 3GPP AKA mechanism. A secret key K is the root
secret shared only between the HE 110 and MS 130.
Whenever mutual authentication is performed, a cipher
key (CK) is generated to facilitate voice and data
privacy. Additionally, an integrity key (IK) is
generated to facilitate message authentication.

The North American Telecommunications Industry
Association (TIA) TR-45 standards group has based AKA on
a shared secret between HE 110, SN 120, and MS 130. In
a TR-45 cellular/PCS network, HE 110 sends Shared Secret
Data (SSD) to SN 120 to enable MS 130 to SN 120
authentication. SSD is derived from an Authentication
key (A-key), shared between HE 110 and MS 130 only. The
A-key is analogous to the GSM secret key K. SSD
consists of SSD-A, used for MS 130 challenge-response
authentication, and SSD-B, used for SN/MS voice and data
privacy. When MS 130 requests service from SN 120, HE
110 sends SSD to SN 120. With SSD, SN 120 can
authenticate MS 130, until SSD is updated between HE 110
and MS 130.

Unlike a GSM network where SN 120 continuously
requests new vectors of crypto-triplets to perform MS
130 authentication, SN 120 in a TR-45 network acquires
unique SSD from HE 110 and uses SSD for the duration
that MS 130 operates within the SN 120 area. Ideally,
SSD update is performed between HE 110 and MS 130 after
MS 130 leaves the SN 120 area to establish a new SSD,
preventing SN 120 from knowing an SSD used by another
service network. Unfortunately, many service providers
do not update SSD frequently, allowing many service
providers to know SSD-A which is the authentication
secret for TR-45 cellular telephones.

The TIA TR-45 is considering adoption of the 3GPP 
AKA for TR-45 networks to support global harmonization 
of wireless communication standards. To retain the 
advantages of using a shared secret like SSD, the TR-45 
is considering using the 3GPP IK key as SSD for third 
generation TR-45 wireless networks.

Additionally, the TR-45 is considering the adoption
of the Long-term Enhanced Subscriber Authentication
(LESA) AKA in which interlocking challenges provide
mutual authentication between SN 120 and MS 130. In the
LESA AKA mechanism, SN 120 sends a random number R_N to MS
130. MS 130 generates a second random number R_M. MS 130
computes a response to SN 120 by combining R_N, R_M, and
SSD in a cryptographic primitive. MS 130 sends the
response and random number R_M to SN 120. With R_M, SN 120
computes the same response, authenticating MS 130. Then
SN 120 computes a second response for MS 130 by
combining R_M and SSD in the cryptographic primitive. SN
120 sends the second response to MS 130. MS 130
verifies the second response, authenticating SN 120.

Finally, 3GPP has considered an AKA mechanism
similar to the LESA AKA, known as Authentication based
on a Temporary Key (A-TK). The A-TK AKA mechanism uses
a procedure of interlocking challenges between HE 110
and MS 130 to establish a temporary key (KT). Once KT
is established, SN 120 uses traditional
challenge-response to authenticate MS 130. MS 130 authentication
of SN 120, however, is not performed explicitly, but is
implicitly achieved by the establishment of CK and IK
based on random numbers provided by SN 120 and MS 130.

Disclosure of Invention 

Techniques are described for enabling
authentication, key agreement, and/or encrypted
communication between communications network stations
and service networks. The techniques described herein
can include the negotiation and use of a cryptographic
primitive shared between a service network and a home
environment of a station. The techniques described also
include use of a key usage indicator, such as a sequence
number, maintained by the service network and a station.
Comparison of the key usage indicators can, for example,
permit efficient authentication of the service network
by the station without undue burden on a home
environment network of the station.

In general, in one aspect, the invention features a
method for use in authenticating a service network to a
station. The method includes storing a key at the
service network and transmitting information to the
station that enables the station to compute the key
stored at the service network. The method also includes
receiving a request for service at the service network
from the station, adjusting a value corresponding to key
usage, and transmitting information corresponding to the
value to the station.

Embodiments may include one or more of the
following features. The method may include receiving a
vector of authentication information from the home
environment network of the mobile station. The vector
includes an indication of the vector's position in a
sequence of vectors. The information transmitted to the
station that enables the station to compute the key
stored at the service network may include one or more
portions of the received vector of authentication
information. The received vector of authentication
information can include the key stored by the service
network. The method may further include computing, at
the service network, the key stored by the service
network based on information included in the received
vector.

Adjusting a value indicating use of the key can
include incrementing a sequence number corresponding to
a number of times the key has been used. The method may
further include using the key to compute a cipher key
for encrypting communication between the service network
and the station. The method may also include
negotiating use of a cryptographic primitive between the
service network and the home environment network.

In general, in another aspect, the invention
features a method for use in authenticating a service
network to a station. The method includes computing a
key, stored by the service network, based on information
received at the station from the service network. The
station maintains an indicator of key usage. The method
includes receiving at the station an indicator of key
usage maintained by the service network and comparing
the key usage indicator maintained by the service
network with the key usage indicator maintained by the
station.

Embodiments may include one or more of the
following features. The method may further include
maintaining an authentication vector sequence number at
the station, receiving at the station from the service
network an indication of an authentication vector
sequence number maintained by the home environment
network, and comparing the authentication vector
sequence number maintained by the home environment
network with the received authentication vector sequence
number maintained by the station. The method may
include receiving from the service network
identification of a cryptographic primitive. The method
may include using the key to compute a cipher key for
encrypting communication between the service network and
the station.

In general, in another aspect, the invention 
features a method for use in authentication in a 
communications network including a home environment 
network, a service network, and a station. The method 
includes determining at the home environment network a 
cryptographic primitive offered by the service network 
and transmitting to the service network at least one 
vector of authentication information corresponding to a 
particular station. 

Embodiments may include one or more of the 
following features. Determining may include receiving 
identification of the cryptographic primitive from the 
service network, for example, as a value of a MODE 
field. The vector of authentication information may 
include an indication of an authentication vector 
sequence number maintained by the home environment 
network.

In general, in another aspect, the invention
features a method for use by a mobile station that can
communicate with different service networks. The method
includes storing different sets of cryptographic
information for the different respective service
networks, selecting a set of cryptographic information
for one of the service networks, and using the selected
set of cryptographic information to communicate with the
service network.

Embodiments may include one or more of the
following. The sets of cryptographic information may
include a key shared by the station and the service
network. The method may include computing the key
shared by the station and the service network based on
information received from the service network. The sets
of cryptographic information may include an indicator of
usage of the key. Using the selected set of
cryptographic information may include using the selected
set of cryptographic information in encrypting
communication between the station and the service
network.

In general, in another aspect, the invention
features a method of handling authentication and key
agreement in a system including a home environment
network, a service network, and a mobile station in
which the home environment network and the mobile
station share a secret key K. The method includes
determining whether the home environment and the service
network share a cryptographic primitive. If it is
determined that the home environment and the service
network do not share a cryptographic primitive, the
method handles authentication and key agreement between
the mobile station and the service network using 3GPP
(Third Generation Project Partners) AKA (authentication
and key agreement). If it is determined that the home
environment and the service network share a
cryptographic primitive, handling authentication and key
agreement by computing a shared secret key (SSK),
transmitting information from the service network to the
station that enables the station to compute the SSK, and
replacing the use of K in the 3GPP AKA with SSK.

Advantages will become apparent in view of the
following description, including the figures and the
claims.

Brief Description of Drawings

FIG. 1 is a block diagram of a communications
network according to the prior art;

FIG. 2 illustrates generation of an authentication
vector according to the prior art;

FIG. 3 illustrates authentication of a service
network according to the prior art;

FIG. 4 is a flow-chart of an authentication and key
agreement process according to the prior art;

FIG. 5 illustrates a cryptographic key hierarchy
according to the prior art;

FIG. 6 is a flowchart of an initial authentication
and key agreement process used to generate a shared
secret K;

FIG. 7 is a flowchart of a mutual authentication
mechanism using a shared secret K;

FIG. 8 illustrates generation of an authentication
token;

FIG. 9 illustrates authentication of a service
network using a temporary sequence number;

FIG. 10 illustrates generation of a shared secret;

FIG. 11 illustrates a cryptographic key hierarchy;

FIG. 12 illustrates generation of a shared secret
authentication vector by a home environment;

FIG. 13 illustrates a cryptographic key hierarchy;

FIG. 14 illustrates a mobile station straddling
bordering cells of different service networks; and

FIG. 15 is a flowchart of a mobile station process
for handling communication with a service network.

Best Mode for Carrying Out the Invention

Described herein are techniques that can securely,
efficiently, and robustly handle authentication and key
agreement in a communications network such as a wireless
communications network. In particular, the techniques
described herein can enhance traditional 3GPP AKA by
giving service providers the option to use traditional
3GPP AKA or an optional AKA mechanism. The present
invention is not limited to wireless applications, and
can also be used in other networks such as electronic
toll systems, internet access terminals, cable TV and
data networks, and other networks in which a service
provider allows subscribers to use another service
provider's network. For purposes of the following
description, the techniques are described with respect
to a wireless communications network. However, the
description should be understood as applying to other
networks or devices, such as the ones discussed above.

In one aspect, the invention features an optional
3GPP AKA mechanism that can be used in conjunction with
the traditional 3GPP AKA. In the optional 3GPP AKA, a
HE 110 and SN 120 share at least one common
cryptographic primitive. For example, HE 110 and SN 120
may both use SHA-1 or MD-5 as a cryptographic hash
function.

The optional 3GPP AKA can include procedures that
allow for primitive negotiation, for example, between
the HE 110 and SN 120. For example, a one byte MODE
field can store data identifying the AKA cryptographic
primitive or set of AKA cryptographic primitives offered
by an HE 110, SN 120, or MS 120. For example, a MODE
field value of M S M can represent a request for
communication using a shared SHA-1 primitive. The SN
120 authentication data requests can also include a
primitive version identifier.

As will be appreciated by those of skill in the 
art, a field other than the MODE field may be used to 
facilitate AKA primitive negotiation between elements of 
the communication network. Additionally, as those of 
skill in the art will appreciate, a wide variety of 
alternate information exchanges can be used to negotiate 
a shared primitive. For example, either the HE 110 or 
SN 120 may initiate negotiation. Similarly, either the 
HE 110 or SN 120 may initially identify the 
cryptographic primitive(s) it offers.

If HE 110 and SN 120 do not share a common AKA
primitive (e.g., if HE 110 determines that it does not
provide the primitive identified in an SN 120 request
for AVs), standard 3GPP AKA is performed instead of the
optional 3GPP AKA mechanism described below. If HE 110
and SN 120 share a common AKA primitive, the optional
3GPP AKA mechanism may be used to increase the
efficiency of mutual authentication between the MS 130
and SN 120.

FIG. 6 illustrates the flow of an optional AKA
mechanism that can reduce the amount of Authentication
Vector (AV) traffic by establishing a Shared Secret K
(SSK) between the MS 130 and SN 120 using one AV. As
shown, when MS 130 requests service from SN 120, SN 120
sends (step 602) an authentication request to HE 130
indicating that a common primitive is available. Upon
receiving the request associated with a particular MS
130 and noting the indication of a shared primitive
(e.g., HE 110 offers the same primitive as indicated by
the MODE field), HE 110 generates (step 604) at least
one AV associated with that particular MS 130. After
generating (step 604) the AV, the HE 110 sends (step
606) the AV to SN 120. SN 120 stores the AV in its
Visitor Location Register (VLR) and generates (step 608)
SSK(i). After initial communication, communication
between the SN 120 and MS 130 will depend on both
computing the same SSK(i).

After selecting (step 610) an AV(i), SN 120 sends
(step 612) RAND(i) and AUTN(i) of AV(i) to MS 130. MS
130 verifies AUTN(i) and computes (step 614) RES(i) (see
FIG. 3). If SQN(i) is greater than SQN_MS, MS 130
successfully authenticates SN 120. MS 130 sends (step
616) RES(i) to SN 120. SN 120 then compares (step 618)
RES(i) with XRES(i). If RES and XRES are equal, SN 120
has successfully authenticated MS 130. Finally, MS 130
computes CK(i) and IK(i) while SN 120 selects (step 620)
CK(i) and IK(i).

After establishing SSK and performing the initial
AKA, the standard AKA protocol between SN 120 and
MS/USIM 130 is modified by replacing K_i with SSK_i for AKA
calculations between the SN 120 and MS 130 for the
duration of MS roaming. The protocol is further
modified by using a Temporary SQN (TSQN) established
between the SN 120 and MS/USIM 130 for the duration of
MS 130 roaming in the SN 120 network area.

FIG. 7 illustrates how subsequent authentications
are performed between SN 120 and MS 130, for example, in
response to a MS 130 request for service from SN 120.
SN 120 generates (step 702) RAND(i) and generates
TAUTN(i) using SSK(i) (see FIG. 8). SN 120 sends (step
704) RAND(i) and TAUTN(i) to MS 130, for example, with
MODE = SHA-1. MS 130 verifies (step 706) TAUTN(i) and
computes RES(i) (see FIG. 9). If TSQN_SN(i) is greater
than TSQN_MS/USIM, MS 130 successfully authenticates SN 120.
MS 130 sends (step 708) RES(i) to SN 120. SN 120
compares (step 710) RES(i) with XRES(i). If RES and
XRES are equal, SN 120 has successfully authenticated MS
130. MS 130 computes (step 712) CK(i) and IK(i). SN
120 computes (step 714) CK(i) and IK(i).

Just as SQN_i uniquely increments for a K_i, TSQN_i
uniquely increments for an SSK_i. Thus for a unique SSK,
the MS 130 maintains a uniquely incrementing TSQN to
facilitate mutual authentication between the MS 130 and
SN 120. While TSQN increments each time the same SSK is
used for communication between an SN and MS, TSQN
increments for a relatively short period of time
compared with SQN, lessening the chance of
mis-synchronization. Additionally, TSQN need not impact the
maintenance of SQN within the HE 110 and MS/USIM 130.
TSQN can automatically reset when a new SSK (associated
with a particular SN 120) is formed. This approach can
eliminate the TR-45 problem of having to update SSD.

As described above, TSQN is a sequence number.
However, other values indicating key usage may be
featured. For example, adjusting the value may feature
decrementing instead of incrementing a numeric value.
Additionally, the value need not be restricted to
numbers but may instead feature a character or boolean
value.

A HE/SN pair, sharing a common primitive, can
choose to utilize this scheme if they desire. However,
even if HE 110 and SN 120 share a common AKA primitive,
the HE 110 can utilize the standard 3GPP AKA mechanism
and pass multiple AVs to SN 120.

The HE 110 may pass one or more AVs to SN 120 with
the MODE value indicating standard 3GPP AKA. The SN
120, however, after the initial standard AKA setup, can
use a common AKA primitive MODE value (e.g. SHA-1) to
notify the MS 130 to use SSK and TSQN when utilizing the
modified 3GPP AKA. Prior to initiating the optional AKA
scheme, the SN 120 may determine if the MS 130 supports
(e.g., includes instructions for) the optional scheme,
for example, based on MS 130 identification information
transmitted by the MS 120. Additionally, the MS 130 can
transmit a message to the SN 120 declining use of the
optional scheme, for example, if the MS 130 does not
provide the primitive identified by the SN 120 in the
MODE field.

FIG. 10 illustrates an example of SSK generation.
As shown, SSK can be generated using IK and RAND where
f3 is the generating function (e.g. SSK = f3_IK(RAND)).
SSK may also be generated using a new function f6
derived from the shared cryptographic primitive(s) if
desired.
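
The subsequent authentication of FIG. 7 and the SSK derivation of FIG. 10, as an added Python example that is not part of the patent text. HMAC-SHA1 with a constant label stands in for f1 through f5, and the TAUTN layout (TSQN xor AK, MODE, MAC, mirroring AUTN), the field lengths, and the MODE code are assumptions.

```python
import hashlib
import hmac
import os

MODE_SHA1 = b"\x01"  # assumed one-byte MODE code for the shared SHA-1 primitive


class AuthReject(Exception):
    """Raised by the MS when the serving network fails authentication."""


def f(key, label, *parts):
    # Stand-in for f1..f5: one primitive (HMAC-SHA1) whose constant label
    # selects which function it provides. Labels and lengths are assumptions.
    return hmac.new(key, label + b"".join(parts), hashlib.sha1).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def derive_ssk(ik, rand):
    # FIG. 10: SSK = f3_IK(RAND), computed independently by SN and MS.
    return f(ik, b"f3", rand)[:16]


def session_keys(ssk, rand):
    # For subsequent accesses, CK and IK are derived from SSK.
    return f(ssk, b"f3", rand)[:16], f(ssk, b"f4", rand)[:16]


class ServingNetwork:
    def __init__(self, ssk):
        self.ssk, self.tsqn, self.xres = ssk, 0, b""

    def challenge(self):
        # Step 702: adjust the key usage value, then build RAND and TAUTN.
        self.tsqn += 1
        rand = os.urandom(16)
        tsqn = self.tsqn.to_bytes(6, "big")
        ak = f(self.ssk, b"f5", rand)[:6]
        mac = f(self.ssk, b"f1", tsqn, rand, MODE_SHA1)[:8]
        self.xres = f(self.ssk, b"f2", rand)[:8]
        return rand, xor(tsqn, ak) + MODE_SHA1 + mac

    def verify(self, res):
        # Step 710: compare RES with XRES in constant time.
        return hmac.compare_digest(res, self.xres)


class MobileStation:
    def __init__(self, ssk):
        self.ssk, self.tsqn = ssk, 0

    def respond(self, rand, tautn):
        # Step 706: verify TAUTN before releasing RES.
        if len(tautn) != 15:
            raise AuthReject("malformed TAUTN")
        concealed, mode, mac = tautn[:6], tautn[6:7], tautn[7:]
        tsqn = xor(concealed, f(self.ssk, b"f5", rand)[:6])
        expected = f(self.ssk, b"f1", tsqn, rand, mode)[:8]
        if not hmac.compare_digest(mac, expected):
            raise AuthReject("bad MAC")
        if int.from_bytes(tsqn, "big") <= self.tsqn:
            raise AuthReject("stale TSQN")
        self.tsqn = int.from_bytes(tsqn, "big")
        return f(self.ssk, b"f2", rand)[:8]


def demo():
    # IK and RAND of the initial standard AKA (random values, constructed).
    ik, rand0 = os.urandom(16), os.urandom(16)
    sn = ServingNetwork(derive_ssk(ik, rand0))
    ms = MobileStation(derive_ssk(ik, rand0))
    rand, tautn = sn.challenge()
    out = {"mutual": sn.verify(ms.respond(rand, tautn))}
    out["keys_match"] = session_keys(sn.ssk, rand) == session_keys(ms.ssk, rand)
    forged = tautn[:-1] + bytes([tautn[-1] ^ 1])
    for name, token in (("replay", tautn), ("forged", forged)):
        try:
            ms.respond(rand, token)
            out[name] = "accepted"
        except AuthReject as err:
            out[name] = str(err)
    out["next"] = sn.verify(ms.respond(*sn.challenge()))
    return out


if __name__ == "__main__":
    print(demo())
```

The replayed token carries a valid MAC and is refused only because its TSQN is not greater than the value the MS stored, which is the check that authenticates the SN without a round trip to the HE.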

FIG. 11 illustrates a cryptographic key hierarchy
for the optional 3GPP AKA mechanism. A secret key K is
the root secret shared between the HE 110 and MS 130.
When mutual authentication is first performed between SN
120 and MS 130, a CK is generated to facilitate voice
and data privacy and an IK is generated to facilitate
message authentication. SSK can be derived from IK
using function f3. For all subsequent SN 120 network
accesses, CK and IK are derived from SSK.

FIG. 12 illustrates a different optional AKA
mechanism. As shown, SSK may be generated using a new
function f6 (e.g. SSK = f6_K(RAND)). When using the new
function, SSK can be generated by HE 110. HE 110 can
include the generated SSK in the AV. With SSK included
in the AV, the AV is defined as Shared Secret AV (SSAV).
A SN 120 receiving SSAV can simply extract SSK instead
of independently computing SSK. The MS 130, however,
still independently determines SSK from AV information
transmitted by SN 120 to the MS 130.

After initial MS/SN mutual authentication and SSK
generation, the SN 120 and MS/USIM 130 use SSK and TSQN
for subsequent authentications as shown in Figure 7.
Resynchronization of TSQN is not necessary because SN
120 can query HE 110 for a new SSAV, perform standard
3GPP AKA and establish a new SSK with a TSQN reset. The
SN 130 may request multiple AVs from the HE 110
initially to allow for new SSK formation and TSQN reset.

FIG. 13 illustrates the cryptographic key hierarchy
when SSK is formed by HE 110 using RAND and K. Although
SSAV is larger than AV, HE 110 and SN 120 traffic is
reduced in comparison to the original 3GPP AKA mechanism
because only one SSAV is sent to SN 120 for roaming
authentication. By generating SSK from RAND and K,
instead of from RAND and IK, AKA mechanism security is
improved. Thus, SSK can be derived from IK for improved
efficiency or from K for improved security.

FIG. 14 illustrates another aspect of the invention
that provides support for border cell operations. As
shown, the MS 130 can store different cryptographic
elements (e.g., SSK/TSQN pairs) for different SNs 120.
By storing multiple SSK/TSQN pairs with each pair
associated with a different SN 120, the MS 130 can
straddle the border between multiple systems without
requiring VLR-to-VLR AV sharing, SSD sharing, or SSD
update.

As shown in FIG. 14, MS 130 straddles between areas
served by two different serving networks. MS 130 uses
SSK_SN-A for service from serving network A (SN-A) and
SSK_SN-B for service from serving network B (SN-B). The MS
130 may store identification of a SN and the respective
SSK/TSQN pair being used. Thereafter, the MS 130 may
identify the SN providing service to retrieve the
appropriate pair.

SSK freshness depends on the SN 120 VLR and MS 130
rules. For example, the SN 120 may choose to store SSK
for up to a week of inactivity. The MS 130 may store
multiple SSK/TSQNs in a queue (five pairs or more) using
first-in-first-out (FIFO). This technique may be ideal
for travelers moving between multiple systems and
countries within a brief period of time. In the event
the MS 130 deletes SSK_SN-A before SN-A deletes SSK_SN-A, the
MS will recognize that SN-A is attempting the optional
3GPP AKA (e.g., MODE = SHA-1), issue a user
authentication reject, and await standard 3GPP AKA to
establish a new SSK with SN-A.

FIG. 15 is a flowchart of a process for using
cryptographic data associated with different cells. As
shown, a MS stores (step 1502) cryptographic data, such
as SSK/TSQN pairs, for different service networks.
After determining (step 1504) a SN providing service,
the MS can access and use the associated cryptographic
data, for example, for authentication and encryption.
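
One way an MS could keep the per-SN pairs described for FIG. 14 and FIG. 15, as an added Python example that is not part of the patent text. The class name, the outcome strings and the SN identifiers are hypothetical, and the TSQN passed in is assumed to have been recovered from a token whose MAC was already verified.

```python
from collections import OrderedDict

ACCEPT = "accept"
REJECT_STALE = "reject: TSQN not fresh"
REJECT_NO_SSK = "user authentication reject: await standard 3GPP AKA"
STANDARD_AKA = "run standard 3GPP AKA"


class SskStore:
    """Per-SN SSK/TSQN pairs held by the MS in a FIFO queue."""

    def __init__(self, capacity=5):
        self.capacity = capacity
        self._pairs = OrderedDict()  # sn_id -> [ssk, tsqn], oldest first

    def establish(self, sn_id, ssk):
        # A new SSK for an SN resets that SN's TSQN and re-queues the pair.
        self._pairs.pop(sn_id, None)
        self._pairs[sn_id] = [ssk, 0]
        if len(self._pairs) > self.capacity:
            return self._pairs.popitem(last=False)[0]  # id of the evicted SN
        return None

    def on_challenge(self, sn_id, mode, tsqn_sn):
        # Step 1504: identify the SN providing service, then use its pair.
        if mode != "SHA-1":
            return STANDARD_AKA
        pair = self._pairs.get(sn_id)
        if pair is None:
            # The MS dropped this SSK before the SN did.
            return REJECT_NO_SSK
        if tsqn_sn <= pair[1]:
            return REJECT_STALE
        pair[1] = tsqn_sn
        return ACCEPT


def demo():
    ms = SskStore(capacity=5)
    ms.establish("SN-A", b"A" * 16)  # constructed key material
    ms.establish("SN-B", b"B" * 16)
    log = []
    # Straddling the border: each SN advances its own TSQN independently.
    for sn_id, tsqn in [("SN-A", 1), ("SN-B", 1), ("SN-A", 2), ("SN-B", 1)]:
        log.append(ms.on_challenge(sn_id, "SHA-1", tsqn))
    # Four more networks push SN-A, the oldest pair, out of the queue.
    evicted = [ms.establish("SN-" + c, c.encode() * 16) for c in "CDEF"]
    log.append(ms.on_challenge("SN-A", "SHA-1", 3))
    return log, evicted


if __name__ == "__main__":
    print(demo())
```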

The techniques described above can, potentially,
offer significant benefits for networks such as 3GPP and
TR-45 (3GPP2) networks. For example, the techniques can
allow for standard 3GPP AKA or modified 3GPP AKA at a
service provider's discretion. The techniques can offer
mutual authentication based on a publicly scrutinized
cryptographic primitive. Potentially, techniques can
reduce HE/SN AV traffic when a common AKA primitive is
shared between HE and SN. The techniques can reduce the
probability of an SQN re-synchronization problem by using
TSQN. The techniques can also reduce the need for SSD
update in TR-45 networks, can reduce the vulnerability
of fixed SSD by ensuring new SSK formation between MS
and SN, can reduce cryptographic export/import concerns
for the United States and other countries interested in
adopting TR-45 standards, and can reduce the need for
VLR-to-VLR AV sharing, SSD sharing, and SSD update for
border cell operations.

Claims:

1. A method for use in authenticating a service 
network to a station, the station having a home 

5 environment network, the method comprising: 
storing a key at the service network; 
transmitting information to the station from the 

service network that enables the station to compute the 

key stored at the service network; 
10 receiving a request for service at the service 

network from the station; 

adjusting a value corresponding to key usage; and 
transmitting information corresponding to the value 

to the station. 

15 

2. The method of claim 1,
further comprising receiving a vector of
authentication information from the home environment
network of the station, the vector including an
indication of the vector's position in a sequence of
vectors; and
wherein transmitting information to the station
that enables the station to compute the key stored at
the service network comprises transmitting portions of
the received vector of authentication information.

3. The method of claim 2, wherein the received 
vector of authentication information comprises the key 
stored by the service network. 

4. The method of claim 2, further comprising
computing at the service network the key stored by the
service network based on information included in the
received vector.

5. The method of claim 1, wherein adjusting a
value indicating use of the key comprises incrementing a
sequence number corresponding to a number of times the
key has been used.

6. The method of claim 5, wherein the value
comprises a TSQN (Temporary Sequence Number).

7. The method of claim 1, wherein
the station comprises a cellular phone; and
the service network and home environment networks
comprise cellular networks.

8. The method of claim 1, further comprising using
the key to compute a cipher key for encrypting
communication between the service network and the
station.

9. The method of claim 1, further comprising 
negotiating use of a cryptographic primitive between the 
service network and the home environment network. 



10. The method of claim 1, further comprising
transmitting a challenge to the station;
receiving a challenge response from the station;
and
comparing the received challenge response with an
expected response.

11. The method of claim 1, further comprising:
computing the key stored by the service network at
the station;
receiving the information indicating the value
corresponding to key usage at the station; and
comparing the received value with a value
corresponding to key usage maintained by the station.

12. A method for use in authenticating a service
network to a station, the station having a home
environment network, the method comprising:
receiving information at the station from the
service network;
computing a key based on the information received
at the station from the service network, the computed
key also being stored by the service network;
maintaining an indicator of key usage at the
station;
receiving at the station an indicator of key usage
maintained by the service network; and
comparing the key usage indicator maintained by the
service network with the key usage indicator maintained
by the station.

13. The method of claim 12, further comprising:
maintaining an authentication vector sequence
number at the station;
receiving at the station from the service network
an indication of an authentication vector sequence
number maintained by the home environment network; and
comparing the authentication vector sequence number
maintained by the home environment network with the
received authentication vector sequence number
maintained by the station.

14. The method of claim 13, further comprising 
receiving from the service network identification of a 
cryptographic primitive. 

15. The method of claim 12, wherein
the station comprises a cellular phone; and
the service network and home environment network
comprise cellular networks.

16. The method of claim 12, further comprising:
using the key to compute a cipher key for
encrypting communication between the service network and
the station.

17. The method of claim 12, further comprising:
receiving a challenge from the service network;
determining a challenge response; and
transmitting the challenge response to the service
network.

18. The method of claim 12, wherein maintaining an
indicator of key usage at the station comprises
maintaining a key sequence number counter.

19. A method for use in authentication in a
communications network including a home environment
network, a service network, and a station, the method
comprising:
determining at the home environment network a
cryptographic primitive offered by the service network;
and
based on the determined cryptographic primitive,
transmitting to the service network at least one vector
of authentication information corresponding to a
particular station.

20. The method of claim 19, wherein determining
comprises receiving identification of the cryptographic
primitive from the service network.

21. The method of claim 20, wherein the 
identification comprises a value of a MODE field. 

22. The method of claim 19, wherein the vector of
authentication information comprises an indication of an
authentication vector sequence number maintained by the
home environment network.

23. The method of claim 22, wherein the vector of 
authentication information comprises a challenge and an 
expected response. 

24. A method for use by a mobile station that can
communicate with different service networks, the method
comprising:
storing different sets of cryptographic information
for the different respective service networks;
selecting a set of cryptographic information for
one of the service networks; and
using the selected set of cryptographic information
to communicate with the service network.

25. The method of claim 24, wherein the sets of 
cryptographic information comprise a key shared by the 
station and the service network. 



26. The method of claim 25, further comprising
computing the key shared by the station and the service
network based on information received from the service
network.

27. The method of claim 25, wherein the sets of
cryptographic information comprise an indicator of usage
of the key.

28. The method of claim 27, wherein the indicator 
of usage comprises a sequence number. 



29. The method of claim 27, further comprising:
receiving from the service network an indicator of
key usage; and
comparing the received indicator of key usage with
the indicator of key usage included in the selected set
of cryptographic information.

30. The method of claim 25, wherein using the
selected set of cryptographic information comprises
using the selected set of cryptographic information to
authenticate the service network.

31. The method of claim 25, wherein using the
selected set of cryptographic information comprises
using the selected set of cryptographic information in
encrypting communication between the station and the
service network.

32. A method of handling authentication and key
agreement in a system including a home environment
network, a service network, and a mobile station, the
home environment network and the mobile station sharing
a secret key K, the method comprising:
determining whether the home environment and the
service network share a cryptographic primitive;
if it is determined that the home environment and
the service network do not share a cryptographic
primitive, handling authentication and key agreement
between the mobile station and the service network using
3GPP (Third Generation Project Partners) AKA
(authentication and key agreement); and
if it is determined that the home environment and
the service network share a cryptographic primitive,
handling authentication and key agreement by:
computing a shared secret key (SSK);
transmitting information from the service
network to the station that enables the station to
compute the SSK; and
replacing the use of K in the 3GPP AKA with
SSK.